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HOW IMPORTANT IS YOUR DATA? 


Years of family photos. Your entire music 
and movie collection. Office documents 
you've put hours of work into. Backups for 
every computer you own. We ask again, how 
important is your data? 


NOW IMAGINE LOSING IT ALL 


Losing one bit - that’s all it takes. One single bit, and 
your file is gone. 





The worst part? You won't know until you | 
absolutely need that file again. Example of one-bit corruption 





THE SOLUTION 


The Mini boasts these state-of-the- 


The FreeNAS Mini has emerged as the clear choice to 
art features: 


Save your digital life. No other NAS in its class offers 


i ry and ZFS bitr 
ECC (error correcting code) memory and ZFS bitrot sieseor Gotti Mora raecseor 


protection to ensure data always reaches disk . Up to 16TB of storage capacity 
without corruption and never degrades over time. - 16GB of ECC memory (with the option to upgrade 
to 32GB) 


, « 2x 1 Gigabit network controllers 
No other NAS combines the inherent data integrity : Ramotemanauementoore (EN) 


and security of the ZFS filesystem with fast on-disk - Tool-less design; hot swappable drive trays 
encryption. No other NAS provides comparable power ISSN re ictal emanecomngured 

and flexibility. The FreeNAS Mini is, hands-down, the 
best home and small office storage appliance you can 
buy on the market. When it comes to saving your 
important data, there simply is no other solution. 
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CERTIFIED 
STORAGE 


With over six million downloads, 
FreeNAS is undisputedly the most 
popular storage operating system 
in the world. 


Sure, you could build your own FreeNAS system: 
research every hardware option, order all the 

parts, wait for everything to ship and arrive, vent at 
customer service because it hasn't, and finally build it 
yourself while hoping everything fits - only to install 
the software and discover that the system you spent 
days agonizing over isn’t even compatible. Or... 


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS 
project, ixsystems has combined over 20 years of 
hardware experience with our FreeNAS expertise to 
bring you FreeNAS Certified Storage. We make it 
easy to enjoy all the benefits of FreeNAS without 
the headache of building, setting up, configuring, 
and supporting it yourself. As one of the leaders in 
the storage industry, you know that you're getting the 
best combination of hardware designed for optimal 
performance with FreeNAS. 


Every FreeNAS server we ship is... 


» Custom built and optimized for your use case 

» Installed, configured, tested, and guaranteed to work out 
of the box 

» Supported by the Silicon Valley team that designed and 
built it 

» Backed by a 3 years parts and labor limited warranty 





As one of the leaders in the storage industry, you 
know that you're getting the best combination 

of hardware designed for optimal performance 

with FreeNAS. Contact us today for a FREE Risk 
Elimination Consultation with one of our FreeNAS 
experts. Remember, every purchase directly supports 
the FreeNAS project so we can continue adding 
features and improvements to the software for years 
to come. And really - why would you buy a FreeNAS 
server from anyone else? 








FreeNAS 1U 

- Intel® Xeon® Processor E3-1200v2 Family 

« Up to 16TB of storage capacity 

* 16GB ECC memory (upgradable to 32GB) 

« 2x 10/100/1000 Gigabit Ethernet controllers 
« Redundant power supply 


FreeNAS 2U 
- 2x Intel® Xeon® Processors E5-2600v2 Family 
« Up to 48TB of storage capacity 
¢ 32GB ECC memory (upgradable to 128GB) 
« 4x 1GbE Network interface (Onboard) - 
(Upgradable to 2 x 10 Gigabit Interface) 
« Redundant Power Supply 











http://www.iXsystems.com/storage/freenas-certified-storage/ 
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EDITOR’S WORD 


Dear Readers, 
ope you are all fine. This issue of BSD magazine is devoted 
to NetBSD. We worked with highly skilled professionals to 
give you many valuable articles. 

Our opening article is written by Diego Montalvo. He wrote about 
his own experiences with NetBSD. Working on the development 
of #pozr, a free developer hosting service, you need to decide 
to use different flavors of BSD and Linux. Yes Linux... . Diego 
decided to tell you how to use NetBSD as the web server. In 
this article Diego will provide you with the steps you will need to 
deploy your own NetBSD cloud server on AWS EC2. You will 
learn more about AWS Basics and how to configure an EC2 
Instance and how to create a NetBSD Virtual Server. 

If you want to read about NetBSD, you need to check the next 
article: Creating a multi-purpose file server for SOHO business 
environments with NetBSD, Samba, NFS, and Vsftpd witten by 
Antonio Francesco Gentile. 

In this article Antonio will address two architectures with respect 
to sharing in the local network: NFS service, historically used 
in UNIX-like OSes, but now also running on Windows platforms 
and the Samba service (currently known as CIFS) typical of 
Windows environments. 

In order to manage access to files remotely, the choice fell on 
the vsftpd daemon configured properly in order to interact with 
SSL certificates and establish encrypted tunnels in which to flow 
the traffic data; for example, for connections of type “roadwarrior”. 

You will find a lot of useful tips here to create the multi-purpose 
file server. 

Please remember to try your skills as a graphic designer and 
read the next article by Rob Somerville. Rob will continue to 
look at graphic design basics, and how to use the most popular 
Open Source graphics software — The Gimp. You will learn in 
this series how to manipulate images like a design pro. 

As always you need to read Rob’s next column to see what 
he prepared for you this time. 

Those are just a few of the articles you will find in the magazine. 
| wish you all good reading and | hope you will learn some new things! 


Best regards, 
BSD Team 
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OGDeploying NetBSD on the Cloud Using 
AWS EC2. Part 1 


Diego Montalvo 

Working on the development of #pozr, a free developer 
hosting service, you need to decide to use different flavors 
of BSD and Linux. Yes Linux.... Diego decided to tell you 
how to use NetBSD as the web server. In this article Diego 
will provide you with the steps you will need to deploy your 
own NetBSD cloud server on AWS EC2. You will learn 
more about AWS Basics and how to configure an EC2 
Instance and how to create a NetBSD Virtual Server. 


10 Creating a multi-purpose file server 

for SOHO business environments with 

NetBSD, Samba, NFS, and Vsftpd 

Antonio Francesco Gentile 
In the UNIX world, there are different ways to implement 
file and folder sharing. In particular, in this article we will 
address two architectures with respect to sharing in the 
local network: NFS service, historically used in UNIX- 
like OSes, but now also running on Windows platforms 
and the Samba service (currently known as CIFS) 
typical of Windows environments. In order to manage 
access to files remotely, the choice fell on the vsftpd 
daemon configured properly in order to interact with SSL 
certificates and establish encrypted tunnels in which 
to flow the traffic data; for example, for connections of 
type “roadwarrior’. 


ee As Backup Servers in 


Siju George 

DragonFlyBSD, the fork of FreeBSD by founder Matthew 
Dillon with the long-term goal of providing transparent 
single system image clustering, supports both the IA-32 
& AMD64 platforms. Previously including pkgsrc from the 
NetBSD project as the package management system, it 
has recently switched to native Dports, DragonFly’s own 
third-party software build system, based on FreeBSD’s 
Ports Collection. This article will describe how HIFX (hifx. 
co.in) uses DragonFly for its backup servers, leveraging 
the features of its HAMMER71 file systems; namely remote 
mirroring, snapshots, pruning, and dedup in two particular 
use Cases. 
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GIMP 
== Getting to Grips with the Gimp. Part 2 


Rob Somerville 
In Our new series on image manipulation and design, 
Rob will continue to look at graphic design basics, and 
how to use the most popular Open Source graphics 
software — The Gimp. You will learn in this series how to 
manipulate images like a design pro. 


<344 Set up a VOIP Server for SIP Calls and 

Protect it From Bruteforce Attacks in 

Ubuntu 12.04 LTS 

Stavros N. Shiaeles 
VoIP is the initials for Voice Over Internet Protocol. 
It involves the transmission of voice signals over Internet 
lines and data networks. VoIP allows users to place phone 
calls from just about anywhere using broadband Internet. 
In this tutorial Stavros N. Shiaeles will show you how 
to set up a VOIP Server using Asterisk 1.8 and install 
FreePBX, a frontend interface for Asterisk, so that you can 
easily manage the Asterisk Server from a web interface 
and make it work without editing configuration files, writing 
dialplans and many other configurations. 


40 Network Analysis On a Storage Area 

Network Using Wireshark 

Sembiante Massimiliano 
Wireshark, originally known as Ethereal, is probably the 
most famous open source packet sniffer and network 
analysis tool available. This application supports 
about 1300 protocols through a vast number of filters. 
Functionalities such as traffic, protocol analysis, and 
packet dissector make it an extremely versatile tool 
for security experts, network engineers, and system 
administrators. This article provides a quick overview of 
using Wireshark in a SAN environment. Although, network 
analyzers are powerful software and can be used to 
troubleshoot complicated issues, at the same time, they 
can be extremely dangerous when misused or activated 
through unauthorized access. 


Column 


44 With every business a target for a 
security attack, are organisations 
finally grasping the security and data 
ee nettle or is the issue still 

eing kicked into the long grass? 
Rob Somerville 
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Deploying NetBSD on 





the Cloud Using AWS 


EC2: Part 1 


Working on the development of #pozr, a free developer 
hosting service, | decided to use different flavors of BSD and 
Linux. Yes Linux... Anyway | decided to use NetBSD as the 
web server. Having usually used FreeBSD, | am now an equal 


fan of both BSD distributions. 


You will need... 

¢« Amazon AWS account 
¢ Terminal 

¢ OpenSSL 


oving forward in this article | will provide you with 
the steps you will need to deploy your own Net- 
BSD cloud server on AWS EC2. 


Registration and Initial Setup 
Register or Log into your Amazon Web Services 
(AWS) account. 

Once you are logged into the AWS account you will see 
a list of all the AWS offerings. For the sake of simplicity 
this article will only cover Elastic Cloud Compute (EC2), 





Amazon Web Services 
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Figure 1. Amazon Web Services 
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You will learn... 

- AWS Basics 

¢ How to configure an EC2 Instance 
¢ Creating a NetBSD Virtual Server 


which provides the deployment services for virtual servers 
in the cloud. (Figure 1) 

Click on EC2 “Virtual Servers in the Cloud”. Before we be- 
gin setting up a new virtual server we will have to setup a Key 
Pair which will allow you to access your server using SSH. 


Note 
lf you do not create a Key Pair you will not be able to ac- 
cess your virtual server. 
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Figure 2. Create Key Pair 
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In the NETWORK & SECURITY section choose the Key 
Pairs option. Next click “Create Key Pair’, name your key 
and click Yes. You will be prompted to save your newly 
created your_key.pem file; save in a directory. (Figure 2) 

We will now begin creating an Amazon Machine Image 
(AMI). Back in the EC2 Dashboard click on the “Launch 
Instance” button. (Figure 3) 


Create Instance 


To start using Amazon EC2 you will want to launch a virtual server, known as an Amazon EC? instance 


ee ye 


Mote: Your inchnoes Wall Wen In the US Eost(h. Winginia) region 


Figure 3. Create Instance 


Inside the Choose an Amazon Machine Image screen, 
we will be accessing Community AMIs and searching 
for all public NetBSD images. (Figure 4) For this article | 
chose the following configuration. 
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Figure 4. Choose an AMI 


NetBSD-x86 64-6.1.3-20140123-0824 ami-1d90ad74 NetBSD 
Ocl23: 64B10 


Choose an Instant Type. 


Note 

Instances range from tiny to very large; the greater the 
processing power and ram the more you will pay. AWS 
provides a handy calculator so you can calculate your 
monthly costs. For new AWS account holders you may 
enroll in the Free Tier program. (Figure 5) 


ECUs vCPU Siem EBS-Optimized Network 
Size ce eta Storage (GIB) aes 
i i (GIB) Available i Performanc 
| micro = up to? 1 0.613 EBS only Very Low 


Micro instances are eligible for the 4W's free usage tier. For the first 12 months following 
your AWS sign-up date, you get up to 750 hours of micro instances cach month. When your 
free usage ter expires or if your usage exceeds the free ter restrictions, you pay standard, 
pay-as-you-go sence rates. 


Leam more about tree usage ter eligibility and restnctions 





Figure 5. Micro Instances 
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The BSD Certification Group Inc. 
(BSDCG) is a non-profit organization 
committed to creating and 
maintaining a global certification 
standard for system administration 
on BSD based operating systems. 





@ WHAT CERTIFICATIONS ARE AVAILABLE? 


BSDA: Entry-level certification suited for candidates 
with a general Unix background and at least six months of 
experience with BSD systems. 


BSDP: Advanced certification for senior system administrators 
with at least three years of experience on BSD systems. 
Successful BSDP candidates are able to demonstrate 

strong to expert skills in BSD Unix system administration. 


@ WHERE CAN I GET CERTIFIED? 


We're pleased to announce that after 7 months of 
negotiations and the work required to make the exam 
available in a computer based format, that the BSDA 
exam is now available at several hundred testing centers 
around the world. Paper based BSDA exams cost $75 USD. 
Computer based BSDA exams cost $150 USD. The price of 
the BSDP exams are yet to be determined. 


Payments are made through our registration website: 
https://register.bsdcertification.org//register/payment 


@ WHERE CAN | GET MORE INFORMATION? 


More information and links to our mailing lists, LinkedIn 
groups, and Facebook group are available at our website: 
http://www.bsdcertification.org 


Registration for upcoming exam events is available at our 
registration website: 
https://register.bsdcertification.org//register/get-a-bsdcg-id 
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Once in Configure Instance Details choose an Availabil- 
ity Zone, us-east-1c for example. When deploying addi- 
tional EBS images make sure they are created in the same 
Availability Zone as your EC2 instance. If not you will not 
be able to attach the extra storage to your instance. 

When creating an instance you will be given the option 
of using Elastic Block Storage (EBS) which in short is an 
attached storage which is independent of the virtual ma- 
chine. EBS provides a layer of data protection, for exam- 
ple if your VM becomes corrupted or must be recreated, 
your EBS can always be reattached to another instance 
without data loss. 

Once in the Configure Security Group screen you will be 
given the option of using a new or existing security group. 
| would recommend creating your own; that way you can 
open and close ports as you see fit. 


Note 

Security groups work as a firewall between open ports 
and your instance. For example web traffic on port 80 
(0.0.0.0/0) or SSH port 22 (0.0.0.0/0). (0.0.0.0./0) allows 
traffic from any ip address. 


In the last screen before you launch your instance you 
will be able to review and edit all options. Once you have 
reviewed your configuration click Launch. You will now 
be prompted to Select an existing key pair or create a 
new key pair. Choose the key pair you created in step 
four of this tutorial. (Figure 6) 
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Select an existing key pair or create a new Key pair 


A key pair consists of a public key inal AWS stores, anda private key file ihat you stove 
ihey allow you fo connect to your ingiance securely For Windows AMIS, the privale key Me is reqy 
lo Gain the password used to log inte your instance. For Linus AMIS. the private key fie allows you to 


,Crw \ ) 
stturdty SSH inko your islance 


Choose an eoxsiineg key paar 


Felect a key pair 


ceego_aws 


#|| acknowledge that | have access to the selected private key file (diego_aws pem), and thai 
without this fle, | won't be able te log inte my instance 


cancel Launch Instances 


Figure 6. Create a New Key Pair 


Check the “I Acknowledge that...” and click Launch In- 
stances. The creation process sh — ould take a few min- 
utes. Once the instance is up and running a green dot will 
appear under the /nstance State tab of EC2 Dashboard. 


Connecting to Your Instance 

Launch the terminal and type the following SSH connec- 
tion command while changing your pem file location and 
EC2 public address. (Figure 7) 
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Resources 

Amazon Web Services: http:/aws.amazon.com 

AWS Free Tier Program: http:/aws.amazon.com/free/ 
The NetBSD Project: http://www.netbsd.org/ 

NGINX: http:/nginx.org/ 











# ssh -v -1i /your-pem-file location/diego/diego aws.pem 


root@ec2-123-12-123-123.compute-1.amazonaws.com 


ae Ei. D Pe 1s) 8 cL. De Ls, 
[ec2-user@ip-16-112-36-125 ~]5 sudo su 
[root@lp-16-112-36-125 ecz-user)]# puppet resource user dlego 
user { ‘diego': 

ensure => ‘absent’, 


ed iy 


i 
[root@ip-16-112-36-125 ec2-user|]? puppet resource user dmontal7 
Tt) ee ee 

a => "present', 

gid => '593', 

groups =>» ['22o0nl1y"], 

a Pe ae ees a ae 

password ee LT teh ewer we] ote ad yl a eae eee ed a) a do elo lg Pd 
a em ea a ee ep wd aes | So 

password_max_age => 99999", 

password_min_age => "6", 

ia a => "/bin/bash', 

uid => "S6i'. 
[root@ip-10-112-36-125 ecz-user |# Write failed: Broken pipe 
dLegogdiego-VirtualBox:-5 ssh -v -i fhome/diega/Documents/dieqo aws .pem root 
i) 123-165.compute-1.amaronaws.com § 


Figure 7. Terminal 


Upon a successful connection you will be presented 
with a pleasant Welcome to NetBSD — Amazon EC2 In- 
stance screen. (Figure 8) 
ad Met I Cah a id 


ea ae a 


eee eee eg ee es | | 
operating system, adapted for running on the Amaron EC? infrastructure. 


The environment is very similar to one provided within a typical Xen dom 
installation. It contains a small, autonomous environment (including a 
compller toolchain) that you can run te build your own systen. 


The Tile system is Lightly populated so you have plenty of space to play wit 
ie 


Should you need a src or pkgsre tree, please use the “bootstrap” script foun 
d 
under fusr to download then. 

MM Me etal tly Te ee) de by 


You ¢an also use the seript to set up 


fusr/bootstrap.sh [src|pkgsrc|binpkg|xbase|xsets ] 


This AMI sends email to the maintainer on first boot, to help get 
an idea of what is in use at any given time. 


ou are encouraged to test this image as thoroughly as possible. ‘Should you 


Figure 8. Welcome to NetBSD Screen 


Having read through this article you should have a basic 
understanding of AWS EC2 and most importantly a fully 
functional NetBSD cloud server. In part two of this article, 
| will cover installation of the NetBSD pkgsrc tree, PHP, 
Nginx and more. So until next time, keep it moving! 


DIEGO MONTALVO 

Diego is the chief architect at #pozr. When he is not coding or building 
web technology, Diego is ranching and skateboarding. He currently re- 
sides in both Hebbronville, Texas and San Diego, California. If you have 
any questions or comments you can contact him at diego@pozr.in. 
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Titania's award winning Nipper Studio configuration 
auditing tool is helping security consultants and end- 
user organizations worldwide Improve their network 
security. Its reports are more detailed than those typically 
produced by scanners, enabling you to maintain a higher 
level of vulnerability analysis in the intervals between 
penetration tests. 


Now used In over 45 countries, Nipper Studio provides a 
thorough, fast & cost effective way to securely audit over 
100 different types of network device. The NSA, FBI, DoD 
& U.S. Treasury already use It, so why not try it for free at 
www.titania.com 
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Creating a Multi-purpose File Server 
for SOHO Business Environments with 








and Vsftpd 


NetBSD, Samba, NES, 


More and more frequently, it is very useful to centralize 
commonly used files on a dedicated server within the 
workplace. This particular host is a defined file server, which is 
where the files containing the templates used for business forms 
or archives relating to company history are stored. A point in 
favor of this approach is the fact that using a restricted number 
of hosts for storage makes it easy to schedule their backups and 
obtain a copy of important files or simple historical archives. 


What you will learn... 

¢ Create a File server with NFS 

¢ Create a File server with CIFS (Samba ) 

¢ Create a File server with Vsftpd and SSL Certificates 


ment file and folder sharing. In particular, in this article 
we will address two architectures with respect to shar- 
ing in the local network: 


) n the UNIX world, there are different ways to imple- 


NFS service, historically used in UNIX-like OSes, but 
now also running on Windows platforms 

¢ The Samba service (currently Known as CIFS) typical 
of Windows environments 


In order to manage access to files remotely, the choice 
fell on the vsftpd daemon configured properly in order 
to interact with SSL certificates and establish encrypted 
tunnels in which to flow the traffic data; for example, for 
connections of type “roadwarrior”. 


a BSD 


What you should know... 
¢ Basic network infrastructure concepts 
- NetBSD kernel compiling 


Samba Server Configuration 

Samba is a widely used open-source software, which al- 
lows users to share resources such as printers and directo- 
ries between hosts on a network. It basically uses the SMB 
(server message block) native Microsoft, which itself is 
based on the NetBios protocol (network basic input output 
system) developed by IBM. Samba packages are available 
in the standard repositories, but to have the latest patched 
version, it’s better to install them using pkgsrc: 


# cd /usr/pkgsrc/net/samba 
Then to launch the installer: 


# make install clean 
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NetBSD, Samba, NFS, and Vsftpd 


To run Samba, we have to start two services daemons, 
smbd and nmbd, that are managed by the configuration 
file /usr/pkg/etc/samba/smb.conf. 

The configuration parameters are supplied in the form 
option = value; the file is divided into sections that define 
a share (share), in addition to the general section [glob- 
al]. Each section is indicated between brackets: [printers]. 
Comment lines are preceded by an asterisk (#) or semico- 
lon (;). Rows of configuration can span multiple lines smb. 
conf using a backslash (\) at the end of the line. The op- 
tions and values are not case sensitive, but if you specify 
a path in the file system, that is case sensitive. To sepa- 
rate a series of values one can use either a comma (,) or 
Spaces ( ). One can also use variables, preceded by the 
percent ( %) within the values (eg, path = /home/%u). 

You can include another configuration file in smb.conf 
with the include option ( e.g. =/usr/pkg/etc/ 
samba/smb.conf.%A). The configuration options fall under 
two basic types: 


include 


¢ Global; appear only in the [global] section and define 
the behavior (very general Samba Server) 

¢ Share; appear in share and define the specific behav- 
ior with regard to the specific share. If they appear in 
the [global] define the default behaviors. 


Any option must be included in a section. These are the 
following special sections: 


¢ [global] Always present, usually at the beginning of 
the file. Defines the default options that apply to all 


Listing 1. Samba configuration file commented line by lineThe 
[global] section 


[global] 

workgroup = wg name; 

Guese eccoune = mobody,; 

netbios = NBSDSMBSRV 

load printers = yes 

printing = bsd 

printcap name = /etc/printcap 

force printername = yes 

security = USER 

allows nests: = i727 020.1 197. os. 338. 0/24 
username map = /usr/pkg/etc/samba/smbusers 
server string = DATA SERVER 

create mask = 0755 


smb passwd file = /usr/pkg/etc/samba/smbpasswd 











www.bsdmag.org 


shares (can be overridden by options otherwise pres- 
ent in the specific sections) and the general parame- 
ters of the server configuration. 

¢ [printers] A special section used to share network ac- 
cess to printers 

¢ [homes] A special section that coincides with the 
home directory of an authenticated user. In fact it is 
sharing with the generic name of the user who logs 
on to Samba. 

¢ workgroup: SAMBA information that must enter the 
linux machine in the specified group ; 

¢ printing: set to allow Samba to use any configuration 
for printers; 

¢ Load printers: loads the list of printers managed by 
the printing daemon. 

¢ netbios: the name by which the server is visible on 
the network. 

¢ security: set to ‘USER’; only authorized users can ac- 
cess via password. 

¢ Allow hosts: indicates the networks where the service 
Is made available; 

¢ Username map: mapping files between samba and 
system users; 

¢ Server string: label that describes the function of the 
server; 

¢ Create mask: managing default permissions on files 
created in the shares; 

¢ Smb passwd file: A file that stores your login credentials; 


The [homes] section 
This section allows users logged on the Windows ma- 
chine to access their Home Directory Linux. 


[homes ] 

Comment = Home directory 
browsable = no 

read only = no 

printable = no 


create mode = 0750 


¢ comment: configures the comment of the shared di- 
rectory on the Windows client; 

¢ browsable: set to no prevents the resource to be 
viewed by all users; 

¢ read only: enables you to write to the directory; 

¢ printable: if it is not a printer you do not enable this 
field; 

¢ create mode: all files created by the user will have 
windows of these preconfigured allowed here. 
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The [public] share 


[public] 

comment = Public Directory 
path = /usr/local/share 
browsable = yes 

read only = no 

public = yes 


create mode = 0777 


The directory /usr/local/share will have the following 
characteristics: 


¢ Will be “visible” and usable by everyone, 

¢ Will be writable 

¢ The files that will be stored will have rwx permissions 
for everyone. 


The [printers] section 


[printers ] 

comment = Printer 

path = /var/spool/samba 
printable = yes 

use client driver = yes 


browsable = yes 





Listing 2. A simple Samba configuration file for a small LAN 


+ Sono LAN smbecont 


[global] 
workgroup = MYGROUP 
server string = Samba %v (%h) 
security = user 


load printers = yes 


[homes] 
comment = Home Directories 
browseable = no 


writable = yes 


[ShareReadOnly] 
comment = DirectorY Read Only 
path=/usr/shared 
browseable = no 
writable = no 
browseable = yes 


valid users = userl 
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To access the print queues to change permissions on 
the directory: 


chmod a + rwx /var/spool/samba 


¢ It sets the folder as “Printers” 

¢ You specify the path 

¢ Specifies that it is a print spooler 

¢ Forces you to use the drivers installed on the client 
¢ Emerges as visible by all users 


[HP -1220 ] 
comment = USB HP 1220 Printer 
path = /var/spool/samba 


browseable = yes 


¢ HP -1220: Indicates the shared printer queue; 

¢ Comment: description of the print queue; 

¢ Path: path to the files of the print queue; 

¢ Browseable: yes is set to be visible to all users. 


To automatically start the services at boot time, you 
must edit /etc/inetd.conf and uncomment the lines: 


netbios-ssn stream tcp nowait root /usr/pkg/sbin/smbd 


netbios-ns dgram udp wait root /usr/pkg/sbin/nmbd 

then restart inetd with: 

/etc/rce.d/inetd restart 

And finally add the following lines to /etc/rc.conf: 
smbd=YES 

nmbd=YES 

samba=YES 

winbindd=YES 

Here is one simple example of a configuration for a small 


LAN: Listing 2. To test the Samba setup, one has to add 
a valid user to the NetBSD system: 


# useradd userl 

Add a Windows user to Samba and set the password: 

# smbpasswd -a -U userl 

Now test the server with your Windows machine. You 


can also browse the content from a windows machine 
with NetBSD smbclient: 
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# smbclient //NbsdSmbSrv/shared_ folder 


NbsdSmbSrv is the IP for the windows machine and 


shared_folder is the shared directory. 








You can also test if your local Samba server is working 
(see Figure 1-3). 


# smbclient -U userl -L localhost 
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Configuring an NFS server on NetBSD 

In this section, we will use NFS to manage a shared folder 
/usr/local/nfsshare on the fileserver, which allows us to 
work on the same files from any computer on the network. 


A small digression: NIS 

NIS (Network Information Service), also known as “Yellow 
Pages Service”, or YP, is a directory management system 
very similar to LDAP and Microsoft Active Directory and is 
used to centralize the configuration files such aS /etc/hosts 
and /etc/passwd. An example of the use of NIS is the cen- 
tralization of accounts to have the same users on each host 
on the network without the hassle of sync files credentials. 

It would be ideal to use a service like YP to ensure that all 
user IDs NFS/group are on the same server as the client. 
Otherwise, it will be necessary to maintain sync periodically. 

To use NFS, make sure that the kernel has active sup- 
port for the NFS share, both on the client and on the serv- 
er. In particular, it will be necessary to uncomment or add 
the following lines in the file kernel: 


file-system NFS # Network File System client 


the server must also have the following option: 


options nfsserver # Network File System server 


NFS setup is very simple. The system manager has to 
simply enter all the directories that they want to export in 
/etc/exports file before starting the NFS daemon. In our 
example we have: 


/usr/local/nfsshare -network 192.168.88.0 -mask 
299.250.0300 =Maprool = Pool 

This will export the /usr/local/nfsshare folder on 

192.168.88.x LAN only and is the required maproot line 

because otherwise the client will not have superuser root 

access. Now, start the daemons and NFS mount daemon 

(mountd and nfsd) as root on your server, in that order. 


root@nfs-server# /etc/rc.d/rpcbind start 
root@nfs-server# /etc/rc.d/mountd start 
root@nfs-server# /etc/rc.d/nfsd start 


root@nfs-server# /etc/rc.d/nfslocking start 


To start NFS at server startup, you need to enter in the 
file /etc/rc.conf: 


nfs server=yes 
rpcbind=yes 
mountd=${nfs server} 


lockd=${nfs server} 


statd=${nfs server} 
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To test the configuration, you can try to mount the folder 
from a client: 


root@nfs-client # mount- t nfs nfs-server:/usr/local/ 


nfsshare /usr/local/nfsshare 


lf everything works correctly, just add all NFS volumes to 
be mounted automatically to /etc/fstab with lines similar 
to the following: 


nfs-server:/usr/local/nfsshare 


/usr/local/nfsshare nfs rw 


To map an NES share in Windows exported from our 
NetBSD server, we can use the mount command, but 


Mier eee mS) Racy at Wizard 







Welcome to the Microsoft Windows 
Services for UNIX Setup Wizard 





This wizard helps you install Microsott Windows Services for 
UNI 






Microsoft Windows Services for UNI provides additional 
features for Windows Server that allow greater interoperability 
with existing UNIS servers. Microsoft Windows Services for 
UNI also allows you to migrate UNIS shell scripts and 
applications to the [nteny environment running on Windows. 










To continue, click Next. 





Figure 4. Setup NSF Client/Server Services on Windows Clients (STEP 1) 
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‘ Remote User Name Mapping Server 
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a User Name Mapping server is not already set up, tt is recommended that you type the name 
of the server where you plan to install Weer Mame Mapping. 


nn 


f@ Local User Name Mapping Server 


IF you have not decided to set up 4 remote User Name Mapping Server, itis recommended that 
wou set up User Name Mapping on this computer. To install User Name Mapping on this 
computer, click Next. Setup will configure User Name Mapping to use simple mapping based 
on how you provide UNI user and group names. 


( Network Information Service [MIS] 


(@ Password and group files 


« Back | Next> | Cancel | 





Figure 5. Setup NSF Client/Server Services on Windows Clients (STEP 2) 
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first we need to install “NFS Client for Windows”. If the 
client OS is Windows 7 Enterprise, Vista Enterprise, or 
Windows 2008, then the NFS Client setup can be do- 
ne from the Add/Remove Software wizard in the Con- 
trol Panel. 

If the client OS is Windows 2000, Windows 2000 Service 
Pack 3, Windows 2000 Service Pack 4, Windows Server 
2003 or Windows XP, then we must download the client 
from this URL: http:/Awww.microsoft.com/en-us/download/ 
confirmation.aspx?id=274. 

lf the required services are up and running on your cli- 
ent, you can now mount the NFS share from the com- 
mand line using the mount command: 


mount \\NetBsdNfsSrv\NfsShareFolder kK: 


ie Microsoft Windows Services for UNIX Pere : 


oelecting Components 


‘You can choose the components of Microsott Windows Services for UNI that 
you want to install. 


Click 4 component to see its description. Click the arrow next to it or press the space bar 
for installation options. 


Components: 


+] Interix SDE. 





Description: 
Sharing files with UNI using NFS. 


« Back Cancel 
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Configure local User Name Mapping using password and group files. 


To provide UNI user and group names, enter the path and file name of the password and 
group files for those users and groups. If you have not copied the UNI password 
[fetc/passid| and group (etc, group] files to this computer, you should do so now and then 
specify the Windows path and name of those files in the boxes below before you continue. 


Password file path and name: 


Group file path and name: 


ee 


Specify the name of the Windows domain that contains the Windows user or group names that 
You Want to map. 


Windows domain name: iia er ee, 7| 
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or by using the mapping resources wizard as shown for 
Samba shares. If NFS client services are not available in 
your OS (Windows 7 standard), you can use the Dokan 
library nfs client. Here is the setup procedure: 

Download and install the Dokan library DokanInstall_X. 
X.X.exe, installing the Microsoft .NET Framework 4 first. 
Download and install Neko Drive NekoDrive_X_X_X./z 
and launch the application, then change the Target Con- 
nection IP address to your server IP and set the version 
to V3 or V4. 

By clicking on “connect”, the client should login to our 
server and to mount the drive in windows, set the Device 
location and select a Disk name. Make sure Devices is set 
to the correct item (e€.g. \\NetBsdNfsSrv\NfsShareFolder), 
and finally, by using the mount button, the drive should 
show up in Windows Explorer (Figure 5). 

For Mac OS X clients users must open up the Disk Util- 
ity and choose File > NFS Mounts... 

Next, they have to click the small plus (+) icon at the bot- 
tom and enter a valid NFS URL (IP + PATH), for example: 
\\NetBsdNfsSrv\NfsShareFolder and enter a Mount loca- 
tion (local mount), for example: /volumes/mynes, then they 
may optionally enable mounts as read-only and, at last, 
click Verify and OK. If everything went fine, they can open 
up Finder and browse to /volumes/myNFS. 


Configuring SSL with vsftpd 

Vsftpd (Very Secure FTP Daemon) is an FTP server. It’s 
lightweight, stable and secure for UNIX-like systems and 
is included in the official repositories, but to enable SSL 
support one must install it using pkgsrc: 


# cd /usr/pkgsrc/net/vsftpd 


Edit makefile to add support for SSL and then launch 
the installer: 


# make install clean 


Starting with vsftpd configuration, one must know that 
most of the settings in vsftpd are done by editing the file 
/etc/vsftpd.conf, which Is well documented, so this sec- 
tion highlights only some important changes that you 
might want to perform. To enable the upload, a specif- 
ic flag must be set to YES in /etc/vsftpd.conf in order to 
enable the changes to the file system: 


write enable = YES 


You must set the following line in /etc/vsftpd.conf to allow 
users to members in /etc/passwad to access the system: 
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local. .enable = YES 


The following line in /etc/vsftpd.conf controls whether 
anonymous users Can log in: 


anonymous enable = NO # Deny anonymous access 
You can set up a chroot environment that prevents the 
user from leaving his home directory. To do this, add the 


following lines to /etc/vsftpd.conf: 


chroot. list enable = YES 
chroot list file = /etc/vsftpd.chroot list 


The chroot list file variable specifies the file that 
contains directives for users to circumscribe. For an 


even more restrictive directive, you can specify the line: 


chroot. local user = YES 





Listing 3. A simple configuration file for vsftpd with SSL support 


+ PUPES  VsSteoa cont 


listen=YES 

anonymous enable=NO 
local enable=YES 
write enable=YES 
chroot_local_ user=YES 


chroot list enable=NO 


# Turn on SSL 

ssl _enable=YES 

force local dara ssl=iis 

EORe oC mLoOce lO gmms ges Mb 

sell tilsvil=vES 

ssl_sslv2=YES 

ssl_sslv3=YES 

require ssl reuse=NO 

ssl_ciphers=HIGH 

rsa_ cert file=/etc/ssl/private/vsftpd.pem 


#listen_port=990 


#force dot files=YES 
hide ids=YES 
max per 1p=2 


max clients=20 
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In this way, local users will be limited by default, and the 
file specified by chroot list file lists the users that 
are not within the restricted chroot. 

You can prevent users from accessing the FTP server 
with the addition of two lines in /etc/vsftpd. conf: 


userlist enable = YES 


userlist file = / etc / vsftpd.user list 


userlist file now specifies the file that lists users who 
are not authorized to log in. If you want to restrict access 
only to certain users, add the line: 


userlist deny = NO 


The file specified by userlist 
ers who are allowed to login. 

You can limit the data transfer rate, and the number of 
client connections per IP and local user by adding the in- 
formation in /etc/vsftpd. conf: 


_ file now contains the us- 
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local _ max rate = 1000000 # Maximum data transfer rate in 
bytes per second 
max clients = 50 # Maximum number of clients that can 
be connected 
max per ip = 2 # Maximum number of connections per IP 
Using vsftpd in standalone mode, or via inetd 
#listen = YES # executable in stand-alone mode 
listen = NO # executable in inetd mode 
To use SSL for the security of FTP, you need to generate 
an SSL certificate as follows: 


# cd /etc/ssl/private 

# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 - 
keyout \\ /etc/ssl/private/vsftpd.pem -out /etc/ssl/ 
private/vsftpd.pem 


# chmod 600 /etc/ssl/private/vsftpd.pem 
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Figure 6. Setup FTPES Client (Filezilla) on Windows (also works in Linux and Mac OSX) 
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Figure 7. Setup FTPES Client (AndFTP ) on Android clients 


The server will conduct you through a series of ques- 
tions about the company and since it is expected to 
have to be used with guarantees of trust (trusted), it will 
be better to get one from companies like Symantec and 
Verisign (Listing 3). 

To test the setup, you have to add the following lines to 


(erc/ Pe.cont. 

vsftpd=YES 

and then start the service with: 
root@ftps-server# /etc/rce.d/vsftpd start 


Finally, try to connect with a client that can handle FTP, 
such as Filezilla (Figure 6). 

lf everything works correctly, you will be prompted to 
accept the certificate and then you can access your files 
(see Figure 7). 

As shown with samba, it’s possible to use android 
phones to connect our secure FTP service. 


Conclusion 

A file server is an important service in networks of any 
size. Today, there are many cloud services like Dropbox 
and Google Drive, but for confidentiality reasons, a com- 
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pany may not want to entrust their data to others. So it is 
essential to be able to rely on cross-platform and robust 
file sharing services. In this article, we wanted to focus on 
three of the most commonly used: FTP over SSL, Samba/ 
CIFS and NFS, and compare and contrast their strengths 
and weaknesses. It is the responsibility of the network ad- 
ministrator to consider the technology best suited to the 
needs of the company from time to time, in order to obtain 
the best compromise between performance and security. 


ANTONIO FRANCESCO GENTILE 
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lab.cosenzainrete.it/) and “Verde Binario” (http://www.verdebinar- 
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DragonFlyBSD Part-1 


As Backup servers in HIFX (hifx.co.in) 


DragonFlyBSD, the fork of FreeBSD by founder Matthew 

Dillon with the long-term goal of providing transparent single 
system image clustering, supports both the IA-32 & AMD64 
platforms. Previously including pkgsrc from the NetBSD project 
as the package management system, it has recently switched 
to native Dports, DragonFly's own third-party software build 
system, based on FreeBSD's Ports Collection. 


What you will learn... 
¢ How HIFX (hifx.co.in) uses DragonFly as its backup servers 


scribe how HIFX (hifx.co.in) uses DragonFly for 

its backup servers, leveraging the features of its 
HAMMER‘1 file systems; namely remote mirroring, snap- 
shots, pruning, and dedup in two particular use cases. 


7 his article by the grace of God endeavours to de- 


The Reasons HIFX uses Dragonfly as its Backup 
Server are 

Rolling release — by following the development 
version 

Development branch is stable enough for most cases. 
lf | Keep an eye on the [Heads UP] mails sent to the Drag- 
onFly users list | can avoid trouble. There is no need for 
major upgrades every six months; | just upgrade little by 
little weekly or monthly as | have time. 


2 500GB disks but no fsck after unclean shutdown 
The hammer file system is designed to work without fscks. 
When working with large disks, this is a major time saver 
after a crash or unclean shut down. 


Sufficient Redundancy using ‘hammer remote 
mirroring’ without RAID parity checks 

HAMMER allows to create PFSes (Pseudo File Sys- 
tems) inside Mother File system which acts as a fully 
mountable file system. PFSes can be created in two 
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What you should know... 


¢ Basic admin skills 


modes: Master & Slave. Each PFS has a “unique-uuid” 
and a “shared-uuid”. If the shared-uuid of a Master PFS 
and a Slave PFS are the same then mirroring (replica- 
tion) is possible between them. The Master and Slave 
can be on two different machines thousands of miles 
apart but connected through the network. Reboots of 
machines hosting either Slave PFS or Master PFS re- 
sumes the replication immediately without long parity 
checks like that of a RAID system. This simplifies offsite 
backups very much. 


Instant (every 5 mins) backup for Windows/Mac OS 
X/BSD/Linux/Solaris users 

Just drag and drop the files you need from backup. All you 
need is an SMB client. You could share the backup files 
using NFS or any other sharing mechanism too. 

This use case includes developers working on small 
projects which last only a month or a bit longer. This type 
of set up will be apt for many organizations which make 
developments on small projects without the use of any 
version control system like Git, Mercurial, Subversion or 
MS VSS. The environment features and backup mecha- 
nism typically are: 


¢ On the development server each project is a Samba 
share in /var/www On a BSD/OS X/Linux system, with 
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typically Apache/Nginx as a web server and MySQL/ 
PostgreSQL as database. 

¢ On the DragonFly backup server a master PFS is 
created with the command 


mkdir /pfs/www5mBak && hammer pfs-master /pfs/www5mBak/ 


www-hot 


¢ Every 5 minutes changes from /var/www from the de- 
velopment server are rsynced with the master PFS 
on the backup server and a snapshot is taken using 
the following cron entry in the DragonFly Server 


*/5 * * * * /usr/pkg/bin/rsync -az --delete rooté 
development-server:/var/www/ root@dragonfly-server-ip:/ 
pfs/www5mBak/www-hot/ && hammer snapshot /pfs/www5mbak/ 


www-hot /pfs/www5mBak “rsync” 


¢ On the DragonFly backup server /pfs/www5mBak IS 
shared using Samba for developers running MAC 
OS X, BSDs, Linux & MS Windows, who can easily 
browse project files every five minutes. From a Win- 
dows Explorer the backup Samba share on Dragon- 
FLY will look like Figure 1. 


The developers can browse the folder for a particular 
time for a particular file(s) backup and drag and drop it to 
the development environment. Each snapshot will have 
the complete set of files and not just the diffs. We also 
serve mysql backups every hour in the following way. 

The Master PFSes in one DragonFly server are mir- 
rored to a slave PFS in another Dragonfly server at a re- 
mote location through the network using ssh. 

This part was the greatest success in the compa- 
ny among developers. They have become very relaxed 
about backups now. 


Search Pobles | [T]~ 
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Figure 1. The backup Samba share on Dragon-FLY 


www.bsdmag.org 


As Backup servers in HIFX 


Automated daily backup of Linux LXC virtual 
servers with optimised storage space 

Another use case is to backup LXC containers to HAM- 
MER PES. In our Linux servers LXC containers reside in 
a logical volume. We take the snapshot of the logical vol- 
umes with LXC containers and rsync from the LVM snap- 
shot to the hammer file system and create a hammer 
snapshot. Thus if a linux server with LXC volume crashes 
it is only a matter of rsyncing back the LXC containers to 
the new server's logical volume. 


De-dup helps in saving space; de-duplication 
implemented in HAMMER helps save storage space 
of backups 

Currently we get a de-dup ratio from 4.01 to 13.78 depending 
on the type of file backed up. A ratio of 13.78 for us means 
117 GB data is referenced while only 8747 MB data is allo- 
cated. It is like storing 117 GB of data in 8.7 GB space. 


¢ http://leaf.dragonflybsd.org/mailarchive/users/2011-07/ 
msg00023.html 
¢ http://dragontlybsd-os.blogspot.in/ 


Variable File System Snapshot Schemes for Master 
and Slave PFSes 

Snapshots of a file system at a particular time show how 
that file system looked at that time. It is possible to config- 
ure different snapshotting schemes for the master and the 
slave. The Master may be snapshotted every 5 minutes 
whereas the slave may be snapshotted every one hour. Al- 
so the state of the filesystem can be accessed live at 30-60 
second boundaries without having to make explicit snap- 
shots, up to a configurable fine-grained retention time. 


Remote Encrypted File System Mirroring using 
“hammer mirror-stream” & SSH 

Data passes from HAMMER PFS Master to a remote HAM- 
MER PFS slave through ssh continuously and when there 
is a change is master if you use “hammer mirror-stream’. 
Since the data passes through ssh there is no need to con- 
figure further security measures for the data in transit. 


Able to Add Volumes to Hammer File System on the Fly 
Ifa HAMMER volume is full then other disks can be added 
to it like the Linux LVM to increase its capacity. 


SIJU GEORGE 

Siju George is Senior Systems Administrator at HIFX IT & Media Services 
Private Limited. Experienced in Systems Administration on OpenBSD, 
FreeBSD, DragonFlyBSD, Debian, Redhat and other flavors of Linux, 
Mac OS X and Microsoft Technologies since 2002. 
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GIMP 


In our new series on image manipulation and design, we will 
continue to look at graphic design basics, and how to use the 
most popular Open Source graphics software — The Gimp. 


What you will learn... What you should know... 


« How to manipulate images like a design pro « General PC administration skills 
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Developing for Amazon Web Services? 
Attend Cloud DevCon! 





June 23-25, 2014 


San Francisco 
Hyatt Regency Burlingame 


www.CloudDevCon.net 





Attend Cloud DevCon to get 
practical training in AWS technologies 
f Develop and deploy applications to Amazon’s cloud 


f} Master AWS services such as Management Console, 
Elastic Beanstalk, OpsWorks, CloudFormation and more! 


f Learn how to integrate technologies and languages 
to leverage the cost savings of cloud computing with the 
systems you already have 


f Take your AWS knowledge to the next level — choose from 
more than 55 tutorials and classes, and put together your 


Register Early own custom program! 
and SAVE! 
f Improve your own skills and your marketability 
as an AWS expert 
f} Discover HOW to better leverage AWS to help your 
A BZ Media Event organization today 


CloudDevCon iil 


my 
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Amazon Web Services and AWS are trademarks of Amazon.com, Inc. 





n the last article we looked at the 

basics of The Gimp and created a 

rose with a reflection. In this tuto- 
rial, we will look further at layers, gra- 
dients, light, text and shadow and cre- 
ate the image “The gimp is great”. 


Step 1 

From File — new (or Ctrl N) create a 
new 640 x 480 image using the 640 x 
480 template [Figure 1 — 2]. 
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Figure 1. Create anew image 
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Figure 2. Our 640 x 480 canvas 
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Getting to Grips with the Gimp - Part 2 
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Step 2 fee etna Eater eaten nett este entities 
Pick a light foreground colour and a 2 3 

light background colour. | have used 
6e53e0 for the foreground and 000000 My (jst) 7 
(Black) for the background [Figure 3]. _" SO0@e@e+sn: 
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Figure 3. Select colours and gradient mode 
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Step 3 EON Rg en 
Select the Blend tool with a radial “** ~~ , = : : F : = 
shape. Ensure the gradient is FG to aoc 3 
BG RGB [Figure 4]. fet] 3 
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Figure 4. Changing the gradient direction with the gradient arrows 
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Step 4 

Move the cursor to half the foreground 
and height of the image (320 x 240). 
Click on the middle of the screen, 
press Ctrl to constrain the angle to 45 
degrees, and drag to the bottom edge 
of the image. This will create a gradu- 
ated background [Figure 5 — 6]. 


BSD 


MAGAZINE 


26 | 


GIMP 
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Figure 5. Using the position indicator to move cursor to the centre of the image 
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Figure 6. The background gradient 
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Getting to Grips with the Gimp - Part 2 
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Step 5 


j i ee er oi 
Click back onto the layers tab andcre- a«¢:.smeaonx 
ate a new transparent layer. Either 4° "f°" "8" * 


right click in the layers area or click on 7 
the New layer icon [Figure 7]. 9 @OMess sans 
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Figure 7. Adding a new layer 
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Using the text tool, click and dragan fo ee 
area in the middle of the screen and 4ee#6 





add the text “The gimp is great.” High- . 
light the text, and change the font = 
size, character spacing and coloursO ques . . 
that a new text layer is created. Don’t gag... el! | 
worry about the exact position, as we) * Be ae | 
can adjust this later. We will now have —— 
three layers as the text tool automati- — w»~ 
cally creates a new layer [Figure 8]. aaa 
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Figure 8. Adding text 
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Step 7 

Click on the text layer and then on 
the move tool and align the middle 
of the centre of the “p” in “gimp” so 
that the brightest area of the gradient 
shines through. 


Step 8 

Click on the transparent layer we made 
earlier. Reverse the background and 
foreground colour by clicking on the 
small arrow between the foreground 
and background. Click on the gradient 
tool and change the fill to Bi-Linear. 
Click inside the “p” and drag at 45 de- 
grees just below the text area. Ensure 
the darker colour is on the right hand 
side of the gradient [Figure 9]. 


Step 9 

Click on the layers tab and then on the 
mode dropdown. Scroll through the 
options and choose the effect you like 
best. | have used the difference mode 
[Figure 10]. 
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Figure 9. Adding another layer 
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Figure 10. The merged layers (Difference) 
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Step 10 

Click back onto the text layer and right 
click on the layer choosing Alpha to 
selection to select the text. Add a new 
transparent layer and click on it [Fig- 
ure 11]. 


Step 11 

Pick a vibrant foreground colour, and 
click on Select — Grow and grow the 
outline by 2px. Press Ctrl, to fill with 
your chosen colour. Drag the layer be- 
low the text layer. 


Step 12 

Select Filters — Light and Shadow — 
Drop shadow and create a 45 percent 
Opacity drop shadow in white. Hide 
the shadow layer [Figure 12 — 13]. 
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Figure 12. Blurring the drop shadow 
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Figure 11. Alpha selection grown with yellow outline 
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Figure 13. Drop shadow in place 
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Getting to Grips with the Gimp - Part 2 


Step 13 

Create a new transparent layer and 
ensure it is enabled. Select Filters — 
Light and Shadow — Supernova and 
create a vibrant pink flare at position 
320 x 240 with Radius and Spokes 50 
and maximum hue [Figure 14 — 15]. 
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Figure 15. Layer on top 


Step 14 

Drag the layer behind Layer #1 and 
select Grain extract mode and 25% 
opacity Adjust so that the centre of the 
nova is in the middle of the “p” [Fig- 
ure 16]. 
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Figure 14. Adding a multi-hue supernova 
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Figure 16. Layer behind text in grain extract mode and decreased opacity 
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Step 15 

Re-enable the shadow layer and drag 
below Layer #2. Adjust the opacity un- 
til the opacity gives the desired effect 
[Figure 17]. 


Step 16 

Save the image as gimp.xcf and ex- 
port to PNG or JPG to use in a web- 
site etc. 


Once you have saved your XCF file, 
experiment with the layers, opacity 
and layer mode. Try different gradi- 
ents blended in different modes. 


ROB SOMERVILLE 
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Figure 17. The final image 
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Resources 

The Gimp website — http://www.gimp.org 

Search Creative commons -— http://search.creativecommons.org 
Deviant art — http:/www.deviantart.com 

Stock.xchng — http://www.sxc.hu 





port, system administrator, developer, systems integrator and IT man- 
ager. He has moved on from CP/M and nixie tubes but keeps a solder- 


ing iron handy just in case. 
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Set up a VOIP Server 


for SIP Calls and protect it from bruteforce attacks in 


Ubuntu 12.04 LTS 


In this tutorial | will show you how to set up a VOIP Server 
using Asterisk 1.8 and install FreePBX, a frontend interface 
for Asterisk, so that you can easily manage the Asterisk 
Server from a web interface and make it work without 
editing configuration files, writing dialplans and many 


other configurations. 


What you will learn... 
¢ installing Ubuntu 12.04 LTS, vi or pico text editor 


OIP is the initials for Voice Over Internet Protocol. 
VV It involves the transmission of voice signals over 

Internet lines and data networks. VoIP allows us- 
ers to place phone calls from just about anywhere using 
broadband Internet. 

Asterisk is an open source framework for building com- 
munications applications. Asterisk turns an ordinary com- 
puter into a communications server. Asterisk powers IP 
PBX systems, VoIP gateways, conference servers and 
more. It is used by small businesses, large businesses, 
call centers, carriers and governments worldwide. Aster- 
isk is free and sponsored by Digium. Now let’s start our 
installation. Note that all shell commands that need to be 
executed on your machine start with “#’. 


What you should know... 


¢ setting up a VOIP server and making SIP calls 


Installing Asterisk 1.8.17 


ftaptitude update 
#aptitude install -y mysql-server 


Setup your root password for MySQL database 


# aptitude update 

#taptitude install -y build-essential linux-headers-*uname 
-r* linux-source bison flex apache2 php5 php5-curl php5- 
ela phps-mysql php-pear php-db php5-gd phpS-<merypt curl 
sox libncurses5-dev libssl-dev libmysgqlclient1l5-dev 


mpg123 libxml2-dev ncurses-dev 


PEBEBBEBBBEPRBEBBBEPREBBRBPREBREBBRBBBREBRBRBBO Configuring mysql-server—-5.5 BRPBEPBEBPBEPREBREBEREBREBBREBRBEBBEEBREBBBB 


BP While net mandatory, it 18 highly recommended that you Set a password for the MyS0L atministrative "roorc™ user. 6 


& 


BP Tf this field is lett blank, the password will not be changed. 


B 
— New password for the MySOL "roeot"” user: 


B 
& 
B 
B 
B 
6 


Figure 1. Prompt to enter your MySQL root password 
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#tadduser asterisk --disabled-password --no-create-home 
--gecos “asterisk PBX user” 


#adduser www-data asterisk 


#cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf_ 
orig 

#sed -i ‘s/*\(User\|Group\).*/\1 asterisk/’ /etc/apache2/ 
apache2.conf 

#/etc/init.d/apache2 restart 

#cd /usr/src/ 

#tar xvjf linux-source-‘echo S$(uname -r) | sed -e “s/\-\ 
Cot xtatbez 

#1ln -s /usr/src/linux-source-‘echo $(uname -r) | sed -e 
Te See 


#cd /usr/src/linux/ 


jusr7srec/ linux 


#make oldconfig 
#make prepare 
#make prepare scripts 


#cd /usr/src/ 


Installing DAHDI 


#twget http://downloads.digium.com/pub/telephony/dahdi- 
linux-complete/dahdi-linux-complete- 2.6.1+2.6.1.tar.gz 

#tar xzvf dahdi-linux-complete-2.6.1+2.6.1l.tar.gz 

#rm -rf dahdi-linux-complete-2.6.1+2.6.1.tar.gz 

#cd dahdi-linux-complete-2.6.1+2.6.1 

#make all 

#make install 

#make config 


#cd /usr/src/ 


Installing ASTERISK 


#wget http://downloads.digium.com/pub/asterisk/releases/ 
asteriek=).6,17.0-rel.tar.oz 

#tar xzvf asterisk-1.8.17.0-rcel.tar.gz 

frm =Cf. asterisk=1.8.1/,0-relctar,gz 

#od asterisk-1.8.17.0-rcl 

#./configure 


#make menuconfig 


select app mysql, app saycountpl, cdr mysql, format mp3, 
res config mysql 

go to Extras Sound Packages 

Select EXTRAS-SOUNDS-EN-GSM 


Save & Exit 
#make 


#make install 


#make samples 
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#cd /usr/src/ 


#1n -s /lib/modules/*echo S(uname -r) | sed -e “s/\-\ 
(.*\)//"~/ /lib/modules/$ (uname -r)/asterisk 
#depmod 


#echo dahdi_ dummy >> /etc/modules 
Installing Asterisk Sounds 


#mkdir /var/lib/asterisk/sounds/ 
#od /var/lib/asterisk/sounds/ 

#twget http://downloads.asterisk.org/pub/telephony/sounds/ 
releases/asterisk-core-sounds-en-wav-1.4.22.tar.gz 
#twget http://downloads.asterisk.org/pub/telephony/sounds/ 
releases/asterisk-core-sounds-en-s1in16-1.4.22.tar.gz 
#twget http://downloads.asterisk.org/pub/telephony/sounds/ 
releases/asterisk-core-sounds-en-gsm-1.4.22.tar.gz 


#twget http://downloads.asterisk.org/pub/telephony/sounds/ 





releases/asterisk-core-sounds-en-g7/29-1.4.22.tar.gz 


#twget http://downloads.asterisk.org/pub/telephony/sounds/ 
releases/asterisk-extra-sounds-en-sln16-1.4.11.tar.gz 
#twget http://downloads.asterisk.org/pub/telephony/sounds/ 
releases/asterisk-extra-sounds-en-wav-1.4.11.tar.gz 
#twget http://downloads.asterisk.org/pub/telephony/sounds/ 
releases/asterisk-extra-sounds-en-gsm-1.4.11.tar.gz 
#twget http://downloads.asterisk.org/pub/telephony/sounds/ 


releases/asterisk-extra-sounds-en-g7/729-1.4.11.tar.gz 


#tar xzvf asterisk-core-sounds-en-wav-1.4.22.tar.gz 
#tar xzvf asterisk-core-sounds-en-s1n16-1.4.22.tar.gz 
#tar xzvf asterisk-core-sounds-en-gsm-1.4.22.tar.gz 


#tar xzvf asterisk-core-sounds-en-g729-1.4.22.tar.gz 


#tar xzvf asterisk-extra-sounds-en-sinl6-1.4.1l.tar.gz 
#tar xzvf asterisk-extra-sounds-en-wav-1.4.1l.tar.gz 
#tar xzvf asterisk-extra-sounds-en-gsm-1.4.1l.tar.gz 


#tar xzvf asterisk-extra-sounds-en-g729-1.4.11l.tar.gz 














#rm -rf asterisk-core-sounds-en-wav-1.4.22.tar.gz 
#rm -rf asterisk-core-sounds-en-sln16-1.4.22.tar.gz 
#rm -rf asterisk-core-sounds-en-gsm-1.4.22.tar.gz 
#rm -rf asterisk-core-sounds-en-g7/29-1.4.22.tar.gz 
#rm -rf asterisk-extra-sounds-en-sln1l6-1.4.11.tar.gz 
#rm -rf asterisk-extra-sounds-en-wav-1.4.11.tar.gz 
#rm -rf asterisk-extra-sounds-en-gsm-1.4.11.tar.gz 
#rm -rf asterisk-extra-sounds-en-g7/29-1.4.11.tar.gz 
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Fix up directory use and permissions for asterisk Install phpmyadmin to manage mysql 
#chown -R asterisk:asterisk /var/lib/asterisk/sounds/ #cd /usr/srec 
#mkdir /var/run/asterisk #wget http://sourceforge.net/projects/phpmyadmin/files/ 
#chown asterisk:asterisk -Rv /var/run/asterisk phpMyAdmin/3.5.2.2/phpMyAdmin-3.5.2.2-all-languages. 
#chown asterisk:asterisk -Rv /etc/asterisk Cat GZ 
#chown asterisk:asterisk -Rv /var/lib/asterisk #tar -xzvf phpMyAdmin-3.5.2.2-all-languages.tar.gz 
#chown asterisk:asterisk -Rv /dev/zap #rm -f£ phpMyAdmin-3.5.2.2-all-languages.tar.gz 
#chown asterisk:asterisk -Rv /var/log/asterisk #mv phpMyAdmin-3.5.2.2-all-languages /var/www/phpmyadmin 
#chown asterisk:asterisk -Rv /var/spool/asterisk 

Installing FreePBX 
Moh fix 

#cd /usr/src/ 
#iln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3 #wget http://mirror.FreePBX.org/FreePBX-2.9.0.tar.gz 
#chown asterisk:asterisk /var/lib/asterisk/mohmp3 #tar -zxvf FreePBX-2.9.0.tar.gz 


#rm -rf FreePBX-2.9.0.tar.gz 
Create asterisk logrotate 
#configure FreePBX 
#touch /etc/logrotate.d/asterisk #cd FreePBX-2.9.0 
#vi /etc/logrotate.d/asterisk 
Setup databases for FreePBX use 


Add the lines below: #mysqladmin -u root -pENTER YOUR MYSQL ROOT PASSWORD HERE 
/var/log/asterisk/*log { create asterisk 

missingok #mysqladmin -u root -pENTER YOUR MYSQL ROOT PASSWORD HERE 
rotate 5 create asteriskcdrdb 

weekly #mysql -u root -pENTER YOUR MYSQL ROOT PASSWORD HERE 
create 0640 asterisk asterisk asterisk < SQL/newinstall.sql 

posCrotate #mysql -u root -pENTER YOUR MYSQL ROOT PASSWORD HERE 
/usr/sbin/asterisk -rx ‘logger reload’ > /dev/null 2> / asteriskcdrdb < SQL/cdr mysql table.sql 

dev/null #mysql -u root -pENTER YOUR MYSQL ROOT PASSWORD HERE 

endscript <<-END PRIVS 

} >GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@ 
/var/log/asterisk/full { localhost IDENTIFIED BY “ENTER YOUR ASTERISK DB | 
missingok PASSWORD HERE”; 

rotate 5 >GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@ 
daily localhost IDENTIFIED BY “ENTER YOUR ASTERISK DB | 
create 0640 asterisk asterisk PASSWORD HERE”; 

postrotate >flush privileges; 

/usr/sbin/asterisk -rx ‘logger reload’ > /dev/null 2> / >END_ PRIVS 

dev/null 

endscript Reconfigure php for FreePBX 

} 
/var/log/asterisk/cdr-csv/*csv { #cp -v /etc/php5/apache2/php.ini /etc/php5/apache2/php. 
missingok ini-orig 

rotate 5 #cp /etc/php5/apache2/php.ini /etc/php5/php.ini 

monthly #rm —rf /etc/php5/apache2/php.ini 

create 0640 asterisk asterisk #rm -rf /etc/php5/cli/php.ini 

} #iln -s /etc/php5/php.ini /etc/php5/apache2/php.ini 


#ln -s /etc/php5/php.ini /etc/php5/cli/php.ini 


#sed -i “s/\(upload_max filesize *= *\)\(.*\)/\120M/" /etc/ 
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php5/php.ini Set ARI admin password 
#sed -i “s/\(memory limit *= *\)\(.*\)/\1100M/” /etc/php5/ 
php.ini #sed -i “s/ari_password/YOUR_ARI PASSWORD HERE/” /var/www/ 


html/recordings/includes/main.conf.php 
Fix up directory use and permissions for asterisk 
Start amportal at boot 



































#mkdir /var/www/html/ #echo “/usr/local/sbin/amportal start” > /etc/rc.local 
#chown asterisk:asterisk -Rv /var/www/html #echo “exit 0” >> /etc/rc.local 
# configure amportal Start FreePBX 
#Cp -v amportal.conf /etc/amportal.conf 
#echo “AMPDBUSER=asteriskuser”>> /etc/amportal.conf #/usr/local/sbin/amportal start 
#echo “AMPDBPASS=ENTER YOUR ASTERISK DB PASSWORD HERE” >> 
/etc/amportal.conf To check if FreePBX is running, we go to our browser 
#echo “AMPWEBADDRESS=ENTER YOUR IP ADDRESS HERE” >> /etc/ and enter the URL: http:/server_ip/html/admin (Figure 
amportal.conf 2). The default username is admin and password admin 
#echo “AMPMGRPASS=ENTER YOUR ASTERISK MGR PASSWORD HERE” to login to the admin menu. 
>> /etc/amportal.conf Now let’s create SIP accounts so we can call from SIP 
#./start_asterisk start to SIP. We click on the FreePBX panel. The link extension 
#./install_amp will direct you to “Add an Extension Page” (Figure 4). 
FreePBX Admin Reports | Panci Recordings | Help 
stup Tools 
| Admin ; 
een Se Add an Extension 
Processor ; el 
Lowd average en aa Please select your Device below then click submit 
ee = 
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——— Bhp tenary 7% Fealure Codes ane = 
Voueemail Admin = ee ai 
Administrators i= Disks General Settings | 
ee A Total active calls Oulbound Routes Device Generic SIP Device is) 
Fap Charme! Dats oe | TunKS >| 
ae Voicemail Admin Submit 
FreePaX Connections Administrators 
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Figure 2. FreePBX 2.9.0.7 running after installation Figure 4. Add an Extension FreePBX page 
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We click submit on this page. In the new page that 
opens, we fill User Extension with the number that you 
want to have for the User, the Display Name that will show 
when this user calls you, and the secret password it will 
use to register to the Asterisk server. It is best to use a 
long password with both lower and upper case letters and 
special characters like “#$%*””. (Figure 5) 

After we create our SIP accounts, we need phones in 
order to make SIP calls. There are softphones for smart- 


FreePBX Admin Reports Panel Recordings Help 
FreePae?oo7e oe 16d. 10 : : = . : 


Tools | 


—_ Add SIP Extension 
FreePGk System Status 

Riche Aven 

ASTM d Extension 

Feature Codes 

General Settings 

Sutbound Routes User Extension 12? 
Trunks Display Name Your Name or What you want 
Volcemall Admin CID Num Alias 

Adiminisirabors SIP Alias 

inbound Call Control 

InBAUNE Reutes Fatension Opiicns 

Zap Channel OIDs 

Musi ori Herd Outbound CID 

System Recordings Ring Time Default| ~| 

Call Forward Ring Time Defaute || 


Outbound Concurrency Limit |No Limit |+] 


Call Waiting Fnable | +| 
Call Screening Disable | 
Pinless Dialing Disable | +| 
Emergency OID 
ig 1 OCI 
DID Description 
Add Inbound DID 
Add Inbound CID 
Device Options 
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rit No - RFC3581 [| 


Figure 5. Create a user extension for SIP calls 
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Figure 6. X-Lite for windows softphone 
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phones and computers and also hardware VOIP Tele- 
phones. One very good SIP softphone for Windows is 
XLite (http:/www.counterpath.com/x-lite.html). For Linux 
and many other systems, it is Linphone (htto:/www.lin- 
phone.org). There are many other softphones. A search 
on the internet using the keywords “free voip softphones” 
will reveal many results. You can figure out how to config- 
ure them and make calls by browsing the website of the 
softphone that you choose. A good idea is to buy a hard- 
ware VOIP phone so that you can call directly without the 
need of a computer. 


SECURING ASTERISK FROM SIP BRUTEFORCE 
ATTACKS 
To secure Asterisk from bruteforce attacks that try to find 
an extension number and password, we will use Fail2Ban. 
Fail2Ban works by scanning log files and then taking ac- 
tion based on the entries in those logs. 

We are implementing Fail2Ban with a configuration to 
prevent SIP brute force attacks against our Asterisk PBXs. 


Installing Fail2Ban 


#aptitude install fail2ban 
#od /etc/fail2ban/ 


Configuring Fail2Ban 

#vi jail.conf 

add after 

[apache-overflows ] 

enabled = true 

Pore = 2985,29443 

filter = apache-overflows 

logpath = /var/log/apache*/*error.log 
maxretry = 2 


the text below 


[asterisk-iptables] 


enabled = true 
filter = asterisk 
action = iptables-allports[name=ASTERISK, protocol=all] 


sendmail-whois[name=ASTERISK, dest=root@ 
localhost, sender=fail2ban@localhost] 


logpath = /var/log/asterisk/messages 
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maxretry = 3 


bantime = 96400 


then 


#cd /etc/fail2ban/filter.d/ 
create a file asterisk.conf 


#touch /etc/fail2ban/filter.d/asterisk.conf 


And add the lines below in this files save and close it 


#Fail2Ban configuration file 
if 

if 

# SRevision: 250 §$ 

if 


[INCLUDES ] 


# Read common prefixes. If any customizations available -- 
read them from 
# common.local 


#before = common.conf 


[Definition] 

# daemon = asterisk 

# Option: failregex 

# Notes.: regex to match the password failures messages 
in the logfile. The 

t host must be matched by a group named “host”. 
The tag “<HOST>” can 


h be used for standard IP/hostname matching and 


is only an alias for 


it (?:::£{4,6}:) 2? (?P<host>\St+t) 
# Values: TEXT 
i 


failregex = Registration from ‘.*’ failed for 
*SHOol a(S (U=9) 4 ly oh2? = Wrong pagaword 
Registration from ‘.*’ failed for 
‘<HOST>(: [0-9] {1,5})?’ - No matching peer found 
Registration from ‘.*’ failed for 
*<HOCT>S (210-9) 11,5)) 2 — Device does: not macehn ACL 
Registration from ‘.*’ failed for 
‘<HOST>(: [0-9] {1,5}) 2?’ - Username/auth name mismatch 
Registration from ‘.*’ failed for 
‘<HOST>(: [0-9] {1,5})?’ - Peer is not supposed to 


register 
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NOTICE.* <HOST> failed to authenticate as 
Vi «nS 
NOTICE.* .*: No registration for peer ‘.*’ 
(from <HOST>) 
NOTICE.* «*$ Host <HOST> tarléed MDS 
authentication for ‘.*’ (.*) 
VERBOSE.* logger:c: =— .*1P/<HOST>=.* Playing 
‘ss-noservice’ (language ‘.*’) 
# Option: ignoreregex 
# Notes.: regex to ignore. If this regex matches, the 
line is ignored. 
# Values: TEXT 
# 
ignoreregex = 


then restart fail2ban 
f/GLe/init.d/far1l7ban, restart 
Also keep in mind 


¢ Install a basic firewall to protect your ports and leave 
specific access to your server per IP. 

¢ Access your FreePBX remotely using https. For this, 
you need to install certificates on Apache. In this tuto- 
rial, the Apache is using plain http. 

¢ Protect your FreePBX folder using htaccess and if is 
possible from static IP. 

¢ Don’t use the default port 5060 for Asterisk. 

¢ You can also extend your Asterisk to make calls to land- 
lines and mobiles using trunks and outbound routes. 
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Network Analysis Ona 


Storage Area Network 
Using Wireshark 


Wireshark, originally known as Ethereal, is probably the 
most famous open source packet sniffer and network 


analysis tool available. 


What you will learn... 
¢ Howto use Wireshark ina SAN environment 


through a vast number of filters. Functionalities 
such as traffic, protocol analysis, and packet dis- 
sector make it an extremely versatile tool for security ex- 
perts, network engineers, and system administrators. 
Wireshark can be used during a proactive analysis to 
identify potential network bottlenecks, to monitor “live” what 
is happening to data flow, and to decode packets in transit, 
displaying information in readable format. The tool can be 
installed on any computer connected to the network and 
equipped with a NIC card. Using specific API or libraries, 
such as WinPcap under Windows or libpcap for Unix, it en- 
ables data capture and allows analysis of packets travelling 
over the carrier. Commonly, Wireshark is used on Ethernet 
technology or Wireless networks, but it's also possible to 
use it for a SAN (Storage Area Network) to analyze FCP 
(Fiber Channel Protocol) over Optical Fiber Cables. 


ik application supports about 1300 protocols 


The Storage Area Network Architecture 
SAN (Storage Area Network) is generally defined as a 
dedicated storage network using Fibre Channel technol- 
ogy to provide disk volumes on the target host. 

The SAN environment can be designed to have a disk 
array directly attached to a host or through a SAN Switch 
(a SAN Network Director similar to the Ethernet Switch) in 
order to connect multiple hosts to a single array and enable 
Business Continuity and Disaster Recovery capabilities. 
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What you should know... 


¢ Basic security skills 


Disks’ capacities are presented as logical volumes 
called LUNs (Logic Unit Numbers). The provisioning is 
performed by connecting the Array, Switch and HBA (Host 
Bus Adapter, a fiber card adapter installed on the Host 
system) using two different operations called LUN Mask- 
ing and Zoning (Figure 1). 

With Zoning, we connect the ports of the devices, also 
called initiators, to be logically linked. While performing 
the LUN Masking, we present the LUN (disk capacity) to 
the target host. 


server Systems 





FC Cables 


ie 


Storage Systems 








Figure 1. Fiber Channel Zoning 
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Network Analysis On a Storage Area Network Using Wireshark 


The SAN directors are accessible by Storage and Net- 
work Administrators via the Terminal Access Controller 
Access-Control System (TACACS) or the Remote Au- 
thentication Dial In User Service (RADIUS). 

The main difference between NAS and SAN volume 
provisioning systems is the protocol used to provide stor- 
age capacity. NAS uses NFS or CIFS protocols, while 
SAN uses the FCP (Fiber Channel Protocol). 


Fiber Channel Protocol 

The FCP (Fibre Channel Protocol) is a transport proto- 
col similar to TCP/IP, approved as ANSI standard around 
1994. FCP mainly transports SCSI commands using the 
Optical Cable as a carrier (Figure 2). 

This protocol was invented to enable higher perfor- 
mances and distance insensitivity, to facilitate the system 
boot from external devices and support enterprise storage 
flexibility and scalability. 


Fiber Channel Traffic Analysis 

Network analysis on a fiber channel is not the same as on 
the Ethernet. There’s no equivalent promiscuous mode for 
nodes, so you can't listen to traffic moving through the net- 
work. To achieve traffic analysis, you have to tap into the 


ie 
==" ai 





Figure 2. Fiber Cable 


Figure 3. Typical SPAN to PAA Configuration 
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network between the source and destination ports you wish 
to analyze. A dedicated hardware is necessary to “read” the 
packets and specific software to analyze the frames. 

Some examples of external frame analyzers are: Xgig 
Protocol Analyzer Family from JDSU or LeCroy FC Pro- 
tocol Analyzers. 

FC frame analyzers are often accompanied by a dedi- 
cated TAP (Traffic Access Point) network hardware. This 
device is physically inserted into the network and when 
turned on, it copies all frames headed for a specific port to 
a specific TAP port. Using TAP hardware means that the 
frame analyzer can be plugged into the TAPped port and 
then removed without causing an interruption in the FC 
network flow. Of course, in order to initially install the TAP 
hardware, you have to interrupt the network flow. 

Preferably, these devices should be permanently con- 
nected, because each time you insert and remove the an- 
alyzer, you interrupt the FC network flow. This may end 
up in serious repercussions for the system, such as Data 
Loss and Kernel Panic. 

In some cases, this has been made easier by Vendors 
such as Cisco and Brocade, providing a Switched Port 
Analyzer (SPAN) feature, which copies most traffic going 
to a specific port to another switch port “called mirror port.” 
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Figure 4. Setting up Wireshark 
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In that case, the frame analyzer or PAA (Protocol Analyzer 
Adapter) can be plugged into the SPAN switch port and 
the traffic flow can be analyzed. (Figure 3) 

Cisco and Brocade provide native command line tools 
to allow local fiber channel control traffic passing through 
the local supervisors to be copied into a text file that is 
stored in a chosen location on the switch or redirected to 
an IP Address. 

The default behavior is to store the output in a volatile 
storage area. This can later be copied to a remote server 
for analysis with Wireshark. 

It is also possible to specify a remote IP address to send 
the data to, and Wireshark can be used to analyze the 
data in real time, as It’s collected. 

Cisco MDS Switches with the SanOS operating system 
provide an FC Analyzer command line called: fcanalyzer 
(portlogshow is the command line on brocade). 

In order to configure the system to perform traffic analy- 
sis, we must configure the Switch in passive remote mode 
using the command line as follows: 


MDS3 (config) # fcanalyzer remote 172.xxx.xxx.Xxx 
MDS3 (config) # exit 
MDS3# show fcanalyzer 
PassiveClient = 1/2.xxx.xxx. xxx 
MDS2# 
coer Wel Pe Lee 
Tact ries Annee 
pe rH ee ee a 


eee 
at ee a ed) eee 


el 
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Figure 5. Remote Connection via Command Line Interface 
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Figure 6. Host Login Trace 
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Next, we instruct Wireshark to connect to it remotely us- 
ing the graphical interface (Figure 4). Or, we may try to 
connect it using the Wireshark CLI (Figure 5). Now, we 
are ready to start a new capture session and verify which 
type of raw data we can get out of the FC analyzer. 

Wireshark can capture a huge amount of information, 
when installed between the disk array and the host machine. 
It could potentially intercept all the SCSI commands passing 
through these two devices. At the same time, it is possible 
to inspect what is happening at the switch level and use the 
data for troubleshooting and debugging purposes. 

During a live capture session, we can monitor the Fabric 
behavior, the Zone-sets operations, or we can display which 
initiators and nodes are currently active and enabled. 

It is possible to verify volumes presented to the hosts and 
potentially reverse engineer the entire SAN configuration. 

lf we can manage to identify all the Zoning and Masking 
setup and if the Switch is using features such as VSAN 
(Virtual SAN similar to VLAN in Ethernet Networks) or IVR 
(Inter-VSAN Routing), we can trace all the members’ de- 
vices existing in all of the SAN area including all the SCSI 
command dialogs. 

With the help of customized filters, it is possible to use 
Wireshark for troubleshooting purposes and display (for 
example, merge conflicts, Fabric Login status, Zoning fail- 
ure, and so on). Agood example is visible in Figure 6. We 
can see a live capture session with Wireshark tracing a 
Host Login event. It is possible to trace the entire “dia- 
log” between the Host and the Remote Array through the 
Switches. There are two active windows in Wireshark: 


¢ Transmit Trace 
¢ Response Trace 


The first one is tracing the FCP/SCSI transmission dia- 
log and the second traces the responses. 

In the first window, we can see LUNs (remote disks) are 
in “inquiry status” (Seeking to log on to target host) and 
the FC initiator is attempting to initiate the FLOGI (a link 
service command that sets up a session between two par- 
ticipants’ devices). 

We can verify the positive response in the second win- 
dow. The Login request is accepted and we can see the 
positive response. The trace window is now displaying 
that LUNs are reported in good status, hence available to 
be mounted on the target Host. 


Conclusions 

This article provides a quick overview of using Wire- 
shark in a SAN environment. Although, network analyzers 
are powerful software and can be used to troubleshoot 
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complicated issues, at the same time, they can be ex- 
tremely dangerous when misused or activated through 
unauthorized access. 

Sniffers are difficult to detect and can be applied almost 
anywhere within the network under analysis, which makes 
it one of the hackers’ favorite tools. 

We need to bear in mind that NO Firewalls or IDS are 
present in a SAN environment; thus it is not possible to fil- 
ter traffic or identify intruders easily. 

The Login of a “new” device in the fabric is never reported 
as a malicious activity and poorly monitored. Moreover a vol- 
ume can be mounted and shared over multiple hosts and, 
in most cases, there is no event alert that traces the activity. 

It’s true that SAN protocol presents all the data at block 
level, but it is still possible to capture and dump, in a sepa- 
rate storage area, a large quantity of traffic to attempt file 
reconstructions later. 

Using Wireshark to perform SAN network cartography 
may be a good starting point to perform further attacks. 
One may be able to use the information gathered to re- 
configure Zoning and Masking, mount the target volume 
on a different Host, and gain access to stored data. 

FCP is a protocol that does not provide encryption, thus 
all the data travelling is potentially exposed. 

Remember to handle all the information gathered with 
Wireshark carefully in order to avoid data leakage. We 
should store all the captured files securely, possibly in en- 
crypted volumes and never forget that sniffing is an illegal 
activity when performed without authorization. 
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Appendix 1 

¢ http://www.cisco.com/en/US/docs/switches/datacenter/ 
mds9000/sw/4_1/configuration/guides/cli_4_1/tsf.html 
http://en.wikipedia.org/wiki/Fibre_Channel 
http://en.wikipedia.org/wiki/Fibre_Channel_Logins 
http://en.wikipedia.org/wiki/Fibre_Channel_zoning 
http://www.jdsu.com/en-us/Test-and-Measurement/ 
Products/a-z-product-list/Pages/xgig-protocol-analyzer-fam- 
ily-overview.aspx 
http://teledynelecroy.com/protocolanalyzer/protocolstan- 
dard.aspx?standardid=5 
http://www.brocade.com/products/all/switches/index.page 
http://www.cisco.com/en/US/products/hw/ps4159/ps4358/ 
products_configuration_example09186a008026eb55.shtml 
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With Every Business a Target for a Security 
Attack, are Organisations Finally Grasping the 
Security and Data Protection Nettle or is the 
Issue Still Being Kicked Into the Long Grass? 


found in a major IT system prior to launch which was 

duly taken offline and a more secure temporary solu- 
tion implemented and rolled out in double quick time. For- 
tunately there was no business or data protection impact, 
and we even managed to score a pyrrhic victory by get- 
ting the vendor to admit that this issue was indeed an is- 
sue, and they have gone away to think about solving it. | 
suspect though that the offending piece of software will ul- 
timately end up as abandon-ware as the cost of really fix- 
ing it properly will be so prohibitive that the vendor will be 
forced to pass the costs on to the customer base, making 
the project financially unsupportable. Sadly, it was only a 
matter of time. Our IT department had valiantly raised our 
heads above the parapet on many occasions about is- 
sues with this particular vendor, but due to internal politics 
it was decided to carry on regardless. Finally the penny 
dropped, and it looks like a more appropriate technical 
solution may be rolled out sometime in the future. One for 
instance that will have a decent API, something that the 
vendor in question refused to provide as it was not in their 
commercial interests. They would far prefer to supply a 
proprietary integration solution at a cost of tens if not hun- 
dreds of thousands. 

While | am happy that this issue is now being addressed, 
itis by no means a victory. It wasn’t until the weight of evi- 
dence was so overwhelming that the decision was tak- 
en, and so much pain could have been avoided if the 
professional opinion of IT had been respected in the first 
place. The problem comes back to the classic disconnect 
between IT and management — and the army of depart- 
ments that want to live in their own little silo with tech- 
nological autonomy. This is the danger when complex 
devices and systems are marketed in the same way as 
block box disposable consumer goods. Nobody wants to 
think about what goes on under the hood, and those that 
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) have just had a very busy week. Security flaws were 
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support and manage these systems are often regarded 
more as technicians than engineers. 

In reality, the word engineer is derived from the Latin 
ingeniare (“to contrive, devise”) and ingenium (“clever- 
ness’). The word technician is a modern construct. To 
start with, there is a lot of professional jealousy — often on 
the part of formally qualified engineers — when IT adopts 
the word “engineer” rather than “technician”. Woe be- 
tide the skilled programmer or developer who has not got 
a technical qualification to their name adopting the title 
“Software engineer’. This professional snobbery extends 
through the management layers, often with the mantra 
“Paper qualifications good — experience alone bad”. The 
most acclaimed and innovative piece of engineering in hu- 
man history — the wheel — was invented at the latest be- 
tween 6500 and 8500 years ago. There is no record of the 
inventor’s gender, but | doubt if they had any professional 
or educational qualifications to their name. 

No, the problem lies in the formalised, metricated, quan- 
tified, and qualified society we live in. There is no longer 
any creative space for the innovator, the idealist, the vi- 
sionary or common sense unless of course they are will- 
ing to work within the strict confines of finance, regulation, 
management, censorship, or control. That is why whistle- 
blowers and creatives are in such short supply. If you have 
the right position (i.e. one with clout), you can apparently 
defy the laws of the universe — but only for a short while 
until you are found out. Then the PR mantra of “Lessons 
learned” and a “One off incident” are wheeled out, unless 
of course the regulator or the justice system bites and then 
you are really in trouble. The Information Commissioner’s 
Office (ICO) has fined the charity British Pregnancy Ad- 
vice Service £200,000 for exposing personal data to a ma- 
licious hacker via their outsourced website. While | have a 
great deal of sympathy for the apparent injustice of a char- 
ity being fined for a data protection breach, the disconnect 
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is obvious. The trustees placed their trust in 
a third party who had no real loyalty to 
the organisation other than to provide 
a website, and knowing the extreme 
financial pressures placed on chari- 
ties and the public sector, there would 
have been a very tight budget. So no 
room for penetration testing, a code 
audit or probably even a decent 
specification that took into account 
the data protection risks in such a 
politically charged arena. The BPA 
management team will have a harsh 
lesson to learn on 
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pushing the envelope. IT professionals have no such lati- 
tude. Systems are ruthless, almost psychotic in their lev- 
el of un-forgivenesses. A full stop in a wrong place in a 
line of code, an unreliable piece of hardware or a badly 
written specification document can wreak havoc. Never 
mind deeper logical issues, system complexity, and the 
hundred and one other pressures that the poor “techni- 
cian” has to deal with. Good IT people develop a sort of 
sixth sense over time — call it intuition or whatever — that 
alerts them to danger. | continually have my leg pulled by 
colleagues at work because all my servers are backed 
up daily and every so often | check that the backups are 
valid. | will not take risks unless | have a plan B and pref- 
erably a plan C and D as well. So | go home at night, put 
my head on the pillow and sleep soundly. What gives 
me nightmares though is the disconnect between se- 
nior management and the technologists — especially 
where you have a department in the middle that demands 
their own 3rd party system — and get it. My IT sixth sense 
knows that the true cost of that system — fully supported, 
patched and maintained — will be way above the nego- 
» tiated and signed contract that is eventually agreed 

» upon. So we have IT by committee, built to a price 
» with excellence and worse case — best practice 
_ tomorrow. And when the wheel comes off, IT 
> will be will be the first port of call to support 
» asystem as after all we are only “techni- 
\ cians” and surely it can’t be that com- 
4 plicated to fix. It is no wonder that in 
| IT departments up and down the land, 
| staff have major difficulty in resisting 
~ the urge to display banners above their 
desk that say “I told you so”. Hopefully the 
tide is changing. Organisations are beginning to under- 
stand. My engineer manager friend (who is convinced | 
am a technician) bemoans the lack of “engineers” and 
freely admits that this is due to lack of candidates willing to 
work for peanuts. Yes, the downward pressure on salaries 
is a short term problem, but the bigger long term problem 
is the cultural divide. Maybe if a few CEO’s and CTO’s sat 
down with their 1T departments over a beer there would be 
less potential room for corporate embarrassment. 
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768GB 


of RAM in 1U 


KEY FEATURES 
IXR-22X4IB iIXR-1204+10G 
- Dual Intel® Xeon® Processors E5-2600 Family per node - Dual Intel® Xeon® Processors E5-2600 Family 
- Intel® C600 series chipset « Intel® C600 series chipset 
- Four server nodes in 2U of rack space « Intel® X540 Dual-Port 10 Gigabit Ethernet Controllers 
« Up to 256GB main memory per server node - Up to 16 Cores and 32 process threads 
« One Mellanox® ConnectX QDR 40Gbp/s Infiniband w/QSFP « Up to 768GB main memory 
Connector per node « Four SAS/SATA drive bays 
- 12 SAS/SATA drive bays, 3 per node ¢ Onboard SATA RAID 0, 1, 5, and 10 
« Hardware RAID via LSI2108 controller - 700W high-efficiency redundant power supply with 
« Shared 1620W redundant high-efficiency Platinum FC and PMBus (80%+ Gold Certified) 


level (91%+) power supplies 


Call iXsystems toll free or visit our website today! 1-855-GREP-4-IX | www.iXsystems.com 








High-Density iXsystems Servers powered by the 
Intel® Xeon® Processor E5-2600 Family and Intel® 
C600 series chipset can pack up to 768GB of RAM 
into 1U of rack space or up to 8 processors - with 
up to 128 threads - in 2U. 


On-board 10 Gigabit Ethernet and Infiniband for Greater 
Throughput in less Rack Space. 


Servers from iXsystems based on the Intel® Xeon® Processor E5-2600 
Family feature high-throughput connections on the motherboard, saving 
critical expansion space. The Intel® C600 Series chipset supports up to 
384GB of RAM per processor, allowing performance in a single server to 
reach new heights. This ensures that you're not paying for more than you 
need to achieve the performance you want. 


The iXR-1204 +10G features dual onboard 10GigE + dual onboard 
1GigE network controllers, up to 768GB of RAM and dual Intel® Xeon® 
Processors E5-2600 Family, freeing up critical expansion card space for 
application-specific hardware. The uncompromised performance and 
flexibility of the iXR-1204 +10G makes it suitable for clustering, high-traffic 
webservers, virtualization, and cloud computing applications - anywhere 
you need the most resources available. 


For even greater performance density, the iXR-22X4IB squeezes four 
server nodes into two units of rack space, each with dual Intel® Xeon® 
Processors E5-2600 Family, up to 256GB of RAM, and an on-board Mellanox® 
ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector. The iXR-22X4 IB is 
perfect for high-powered computing, virtualization, or business intelligence 
applications that require the computing power of the Intel® Xeon® Processor 
E5-2600 Family and the high throughput of Infiniband. 





Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries. 
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Reliable. 
Trusted by over 500 ISPs worldwide. 


Hyper is the first multimedia cache fully developed in Brazil, by Taghos. 
With Hyper, ISPs can save on network bandwidth while increasing 
content-delivery speeds, resulting in end-customer satisfaction. 






Features: 
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- Active monitoring 

- Automatic updates 

- Appliance or license 

- Easy deployment 

- Configuration and reports via 
web interface 





Up to 15 Mbps 
Up to 50 Mbps - 
Up to 100 Mbps X17 1x 160 GB 
Up to 150Mbps 1X 160 GB 
Up to 300 Mbps : Pal 1x 240 GB 
Up to 500 Mbps 7X2 1B 1x 480 GB 
100 Up to 1 Gbps G 10x 1 TB 1x 480 GB 
Remote Insta] Up to 2 Gbps 24x11B 3x 480 GB 


T3000 Up to 3 Gbps 8 G 32x 1 1B 5X 480 GB 


Using your hardware 


Visit us at WWW.taghos.com and start saving bandwidth today! 


